"""Tests for certbot._internal.renewal"""
import copy
import datetime
import sys
import tempfile
import unittest
from unittest import mock

import configobj
import pytest

from acme import challenges, errors as acme_errors
from certbot import configuration
from certbot import errors
from certbot._internal import storage
import certbot.tests.util as test_util

from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.hazmat.primitives import serialization, hashes
from cryptography import x509

def make_cert_with_lifetime(not_before: datetime.datetime, lifetime_days: int) -> bytes:
    """Return PEM of a self-signed certificate with the given notBefore and lifetime."""
    key = ec.generate_private_key(ec.SECP256R1())
    not_after=not_before + datetime.timedelta(days=lifetime_days)
    cert = x509.CertificateBuilder(
        issuer_name=x509.Name([]),
        subject_name=x509.Name([]),
        public_key=key.public_key(),
        serial_number=x509.random_serial_number(),
        not_valid_before=not_before,
        not_valid_after=not_after,
    ).add_extension(
        x509.SubjectAlternativeName([x509.DNSName("example.com")]),
        critical=False,
    ).sign(
        private_key=key,
        algorithm=hashes.SHA256(),
    )
    return cert.public_bytes(serialization.Encoding.PEM)

class RenewalTest(test_util.ConfigTestCase):
    @mock.patch.object(configuration.NamespaceConfig, 'set_by_user')
    def test_ancient_webroot_renewal_conf(self, mock_set_by_user):
        mock_set_by_user.return_value = False
        rc_path = test_util.make_lineage(
            self.config.config_dir, 'sample-renewal-ancient.conf')
        self.config.account = None
        self.config.email = None
        self.config.webroot_path = None
        config = configuration.NamespaceConfig(self.config)
        lineage = storage.RenewableCert(rc_path, config)
        renewalparams = lineage.configuration['renewalparams']
        # pylint: disable=protected-access
        from certbot._internal import renewal
        renewal._restore_webroot_config(config, renewalparams)
        assert config.webroot_path == ['/var/www/']

    @mock.patch.object(configuration.NamespaceConfig, 'set_by_user')
    def test_webroot_params_conservation(self, mock_set_by_user):
        # For more details about why this test is important, see:
        # certbot._internal.plugins.webroot_test::
        #   WebrootActionTest::test_webroot_map_partial_without_perform
        from certbot._internal import renewal
        mock_set_by_user.return_value = False

        renewalparams = {
            'webroot_map': {'test.example.com': '/var/www/test'},
            'webroot_path': ['/var/www/test', '/var/www/other'],
        }
        renewal._restore_webroot_config(self.config, renewalparams)  # pylint: disable=protected-access
        assert self.config.webroot_map == {'test.example.com': '/var/www/test'}
        assert self.config.webroot_path == ['/var/www/test', '/var/www/other']

        renewalparams = {
            'webroot_map': {},
            'webroot_path': '/var/www/test',
        }
        renewal._restore_webroot_config(self.config, renewalparams)  # pylint: disable=protected-access
        assert self.config.webroot_map == {}
        assert self.config.webroot_path == ['/var/www/test']

    @mock.patch('certbot._internal.renewal._avoid_reuse_key_conflicts')
    def test_reuse_key_renewal_params(self, unused_mock_avoid_reuse_conflicts):
        self.config.elliptic_curve = 'INVALID_VALUE'
        self.config.reuse_key = True
        self.config.dry_run = True
        config = configuration.NamespaceConfig(self.config)

        rc_path = test_util.make_lineage(
            self.config.config_dir, 'sample-renewal.conf')
        lineage = storage.RenewableCert(rc_path, config)

        le_client = mock.MagicMock()
        le_client.obtain_certificate.return_value = (None, None, None, None)

        from certbot._internal import renewal

        with mock.patch('certbot._internal.renewal.hooks.renew_hook'):
            renewal.renew_cert(self.config, None, le_client, lineage)

        assert self.config.elliptic_curve == 'secp256r1'

    @mock.patch('certbot._internal.renewal._avoid_reuse_key_conflicts')
    def test_reuse_ec_key_renewal_params(self, unused_mock_avoid_reuse_conflicts):
        self.config.elliptic_curve = 'INVALID_CURVE'
        self.config.reuse_key = True
        self.config.dry_run = True
        self.config.key_type = 'ecdsa'
        config = configuration.NamespaceConfig(self.config)

        rc_path = test_util.make_lineage(
            self.config.config_dir,
            'sample-renewal-ec.conf',
            ec=True,
        )
        lineage = storage.RenewableCert(rc_path, config)

        le_client = mock.MagicMock()
        le_client.obtain_certificate.return_value = (None, None, None, None)

        from certbot._internal import renewal

        with mock.patch('certbot._internal.renewal.hooks.renew_hook'):
            renewal.renew_cert(self.config, None, le_client, lineage)

        assert self.config.elliptic_curve == 'secp256r1'

    @mock.patch.object(configuration.NamespaceConfig, 'set_by_user')
    def test_new_key(self, mock_set_by_user):
        mock_set_by_user.return_value = False
        # When renewing with both reuse_key and new_key, the key should be regenerated,
        # the key type, key parameters and reuse_key should be kept.
        self.config.reuse_key = True
        self.config.new_key = True
        self.config.dry_run = True
        config = configuration.NamespaceConfig(self.config)

        rc_path = test_util.make_lineage(
            self.config.config_dir, 'sample-renewal.conf')
        lineage = storage.RenewableCert(rc_path, config)

        le_client = mock.MagicMock()
        le_client.obtain_certificate.return_value = (None, None, None, None)

        from certbot._internal import renewal

        with mock.patch('certbot._internal.renewal.hooks.renew_hook'):
            renewal.renew_cert(self.config, None, le_client, lineage)

        assert self.config.elliptic_curve == 'secp256r1'
        assert self.config.key_type == 'ecdsa'
        assert self.config.reuse_key
        # None is passed as the existing key, i.e. the key is not actually being reused.
        le_client.obtain_certificate.assert_called_with(mock.ANY, None)

    @mock.patch('certbot._internal.renewal.hooks.renew_hook')
    @mock.patch.object(configuration.NamespaceConfig, 'set_by_user')
    def test_reuse_key_conflicts(self, mock_set_by_user, unused_mock_renew_hook):
        mock_set_by_user.return_value = False

        # When renewing with reuse_key and a conflicting key parameter (size, curve)
        # an error should be raised ...
        self.config.reuse_key = True
        self.config.key_type = "rsa"
        self.config.rsa_key_size = 4096
        self.config.dry_run = True

        config = configuration.NamespaceConfig(self.config)

        rc_path = test_util.make_lineage(
            self.config.config_dir, 'sample-renewal.conf')
        lineage = storage.RenewableCert(rc_path, config)
        lineage.configuration["renewalparams"]["reuse_key"] = True

        le_client = mock.MagicMock()
        le_client.obtain_certificate.return_value = (None, None, None, None)

        from certbot._internal import renewal

        with pytest.raises(errors.Error, match="Unable to change the --key-type"):
            renewal.renew_cert(self.config, None, le_client, lineage)

        # ... unless --no-reuse-key is set
        mock_set_by_user.side_effect = lambda var: var == "reuse_key"
        self.config.reuse_key = False
        renewal.renew_cert(self.config, None, le_client, lineage)

    @test_util.patch_display_util()
    @mock.patch.object(configuration.NamespaceConfig, 'set_by_user')
    def test_remove_deprecated_config_elements(self, mock_set_by_user, unused_mock_get_utility):
        mock_set_by_user.return_value = False
        config = configuration.NamespaceConfig(self.config)
        config.certname = "sample-renewal-deprecated-option"

        rc_path = test_util.make_lineage(
            self.config.config_dir, 'sample-renewal-deprecated-option.conf')

        from certbot._internal import renewal
        lineage_config = copy.deepcopy(self.config)
        renewal.reconstitute(lineage_config, rc_path)
        # This means that manual_public_ip_logging_ok was not modified in the config based on its
        # value in the renewal conf file
        assert isinstance(lineage_config.manual_public_ip_logging_ok, mock.MagicMock)

    @mock.patch.object(configuration.NamespaceConfig, 'set_by_user')
    def test_absent_key_type_restored(self, mock_set_by_user):
        mock_set_by_user.return_value = False

        rc_path = test_util.make_lineage(self.config.config_dir, 'sample-renewal.conf', ec=False)

        from certbot._internal import renewal
        lineage_config = copy.deepcopy(self.config)
        renewal.reconstitute(lineage_config, rc_path)
        assert lineage_config.key_type == 'rsa'

    @test_util.patch_display_util()
    @mock.patch.object(configuration.NamespaceConfig, 'set_by_user')
    @mock.patch('certbot._internal.renewal.AriClientPool.get')
    @mock.patch('certbot._internal.main.renew_cert')
    @mock.patch("certbot._internal.renewal.datetime")
    def test_renewal_via_ari(self, mock_datetime, mock_renew_cert, mock_ari_client_get, mock_set_by_user, unused_mock_display):
        mock_set_by_user.return_value = False
        from certbot._internal import renewal
        acme_client = mock.MagicMock()
        mock_ari_client_get.return_value = acme_client
        past = datetime.datetime(2025, 3, 19, 0, 0, 0, tzinfo=datetime.timezone.utc)
        now = datetime.datetime(2025, 4, 19, 0, 0, 0, tzinfo=datetime.timezone.utc)
        future = datetime.datetime(2025, 4, 19, 12, 0, 0, tzinfo=datetime.timezone.utc)
        mock_datetime.datetime.now.return_value = now
        acme_client.renewal_time.return_value = past, future

        test_util.make_lineage(self.config.config_dir, 'sample-renewal.conf', ec=False)
        config = configuration.NamespaceConfig(self.config)

        with mock.patch('time.sleep'):
            renewal.handle_renewal_request(config)

        mock_renew_cert.assert_called_once()
        # This value comes from `sample-renewal.conf` and is different than
        # the global default.
        expected_server = "https://acme-staging-v02.api.letsencrypt.org/directory"
        assert expected_server != config.server
        mock_ari_client_get.assert_called_once()
        assert mock_ari_client_get.call_args[0][0] == expected_server

    @test_util.patch_display_util()
    @mock.patch('acme.client.ClientNetwork.get')
    @mock.patch('certbot._internal.storage.RenewableCert.autorenewal_is_enabled')
    def test_no_network_if_no_autorenew(self, mock_autorenewal_enabled,
            mock_client_network_get, unused_mock_display):
        from certbot._internal import renewal
        mock_autorenewal_enabled.return_value = False

        test_util.make_lineage(self.config.config_dir, 'sample-renewal.conf', ec=False)

        with mock.patch('time.sleep'):
            renewal.handle_renewal_request(self.config)

        assert mock_client_network_get.call_count == 0

    @mock.patch('acme.client.ClientV2')
    def test_dry_run_no_ari_call(self, mock_acme):
        from certbot._internal import renewal
        self.config.dry_run = True
        ari_client_pool = mock.MagicMock()
        ari_client_pool.get.return_value = mock_acme
        with mock.patch('time.sleep'):
            renewal.should_renew(self.config, mock.Mock(), ari_client_pool)
        assert mock_acme.renewal_time.call_count == 0

    def test_default_renewal_time(self):
        from certbot._internal import renewal
        cert_pem = make_cert_with_lifetime(datetime.datetime(2025, 3, 12, 00, 00, 00), 8)
        t = renewal._default_renewal_time(cert_pem)
        assert t == datetime.datetime(2025, 3, 16, 00, 00, 00, tzinfo=datetime.timezone.utc)

        cert_pem = make_cert_with_lifetime(datetime.datetime(2025, 3, 12, 00, 00, 00), 18)
        t = renewal._default_renewal_time(cert_pem)
        assert t == datetime.datetime(2025, 3, 24, 00, 00, 00, tzinfo=datetime.timezone.utc)

    @mock.patch("certbot._internal.storage.atomic_rewrite")
    @mock.patch("certbot._internal.renewal.datetime")
    def test_renew_before_expiry(self, mock_datetime, unused_mock_atomic_rewrite):
        """When neither OCSP nor the ACME client indicate it's time to renew,
           obey the renew_before_expiry config.
        """
        from certbot._internal import renewal

        # This certificate has a lifetime of 7 days, and the tests below
        # that use a "None" interval (i.e. choose a default) rely on that fact.
        #
        # Not Before: Dec 11 22:34:45 2014 GMT
        # Not After : Dec 18 22:34:45 2014 GMT
        not_before = datetime.datetime(2014, 12, 11, 22, 34, 45)
        short_cert = make_cert_with_lifetime(not_before, 7)

        ari_server = "http://ari"
        future = datetime.datetime.now(datetime.timezone.utc) + datetime.timedelta(days=100000)
        ari_client_pool = MockAriClientPool(future, future)

        mock_renewable_cert = mock.MagicMock()
        mock_renewable_cert.server = ari_server
        mock_renewable_cert.autorenewal_is_enabled.return_value = True
        mock_renewable_cert.version.return_value = "/tmp/abc"
        mock_renewable_cert.ocsp_revoked.return_value = False
        mock_renewable_cert.configfile = configobj.ConfigObj()

        mock_datetime.timedelta = datetime.timedelta

        with tempfile.NamedTemporaryFile() as tmp_cert:
            tmp_cert.close()  # close now because of compatibility issues on Windows
            with open(tmp_cert.name, 'wb') as c:
                c.write(short_cert)

            mock_renewable_cert.version.return_value = tmp_cert.name

            # First, test cases where ARI returns a renewal_time far in the future
            for (current_time, interval, result) in [
                    # 2014-12-13 12:00 (about 5 days prior to expiry)
                    # Times that should result in autorenewal/autodeployment
                    (1418472000, "2 months", True), (1418472000, "1 week", True),
                    # With the "default" logic, this 7-day certificate should autorenew
                    # at 3.5 days prior to expiry. We haven't reached that yet,
                    # so don't renew.
                    (1418472000, None, False),
                    # Times that should not renew
                    (1418472000, "4 days", False), (1418472000, "2 days", False),
                    # 2014-12-16 20:00 (after the default renewal time but before expiry)
                    # Times that should not renew
                    (1418760000, None, False),
                    (1418760000, "1 day", False),
                    # 2009-05-01 12:00:00+00:00 (about 5 years prior to expiry)
                    # Times that should result in autorenewal/autodeployment
                    (1241179200, "7 years", True),
                    (1241179200, "11 years 2 months", True),
                    # Times that should not renew
                    (1241179200, "8 hours", False), (1241179200, "2 days", False),
                    (1241179200, "40 days", False), (1241179200, "9 months", False),
                    # 2015-01-01 (after expiry has already happened, so all
                    #            intervals should cause autorenewal/autodeployment)
                    (1420070400, "0 seconds", True),
                    (1420070400, "10 seconds", True),
                    (1420070400, "10 minutes", True),
                    (1420070400, "10 weeks", True), (1420070400, "10 months", True),
                    (1420070400, "10 years", True), (1420070400, "99 months", True),
            ]:
                sometime = datetime.datetime.fromtimestamp(current_time, datetime.timezone.utc)
                mock_datetime.datetime.now.return_value = sometime
                mock_renewable_cert.configuration = {"renew_before_expiry": interval}
                assert renewal.should_autorenew(mock_renewable_cert, ari_client_pool) == result, f"at {current_time}, with config '{interval}', ari response in future, expected {result}"

            # Now, test cases where ARI either fails (returns `(None, _)`) or
            # the cert has no `server` value and ARI is skipped
            ari_client_pool = MockAriClientPool(None, future)
            for (current_time, interval, result) in [
                    # 2014-12-13 12:00 (about 5 days prior to expiry)
                    # Times that should result in autorenewal/autodeployment
                    (1418472000, "2 months", True), (1418472000, "1 week", True),
                    # With the "default" logic, this 7-day certificate should autorenew
                    # at 3.5 days prior to expiry. We haven't reached that yet,
                    # so don't renew.
                    (1418472000, None, False),
                    # Times that should not renew
                    (1418472000, "4 days", False), (1418472000, "2 days", False),
                    # 2014-12-16 20:00 (after the default renewal time but before expiry)
                    # Times that should result in autorenewal/autodeployment
                    (1418760000, None, True), # Note that this result is different from the above
                    # Times that should not renew
                    (1418760000, "1 day", False),
                    # 2009-05-01 12:00:00+00:00 (about 5 years prior to expiry)
                    # Times that should result in autorenewal/autodeployment
                    (1241179200, "7 years", True),
                    (1241179200, "11 years 2 months", True),
                    # Times that should not renew
                    (1241179200, "8 hours", False), (1241179200, "2 days", False),
                    (1241179200, "40 days", False), (1241179200, "9 months", False),
                    # 2015-01-01 (after expiry has already happened, so all
                    #            intervals should cause autorenewal/autodeployment)
                    (1420070400, "0 seconds", True),
                    (1420070400, "10 seconds", True),
                    (1420070400, "10 minutes", True),
                    (1420070400, "10 weeks", True), (1420070400, "10 months", True),
                    (1420070400, "10 years", True), (1420070400, "99 months", True),
            ]:
                sometime = datetime.datetime.fromtimestamp(current_time, datetime.timezone.utc)
                mock_datetime.datetime.now.return_value = sometime
                mock_renewable_cert.configuration = {"renew_before_expiry": interval}
                mock_renewable_cert.server = ari_server
                assert renewal.should_autorenew(mock_renewable_cert, ari_client_pool) == result, f"at {current_time}, with config '{interval}', no ari response, expected {result}"
                mock_renewable_cert.server = None
                assert renewal.should_autorenew(mock_renewable_cert, ari_client_pool) == result, f"at {current_time}, with config '{interval}', skipped ari, expected {result}"

    @mock.patch("certbot._internal.storage.RenewableCert.ocsp_revoked")
    def test_should_autorenew(self, mock_ocsp):
        from certbot._internal import renewal

        mock_acme = mock.MagicMock()
        ari_server = "http://ari"
        future = datetime.datetime.now(datetime.timezone.utc) + datetime.timedelta(seconds=1000)
        mock_acme.renewal_time.return_value = (future, future)
        ari_client_pool = mock.MagicMock()
        ari_client_pool.get.return_value = mock_acme
        mock_rc = mock.MagicMock()

        with mock.patch('certbot._internal.renewal.open', mock.mock_open(read_data=b'')):
            # Autorenewal turned off
            mock_rc.autorenewal_is_enabled.return_value = False
            mock_rc.server = ari_server
            assert not renewal.should_autorenew(mock_rc, ari_client_pool)
            mock_rc.server = None
            assert not renewal.should_autorenew(mock_rc, ari_client_pool)

            # Autorenewal turned on, mandatory renewal on the basis of OCSP
            # revocation
            mock_rc.autorenewal_is_enabled.return_value = True
            mock_ocsp.return_value = True
            assert renewal.should_autorenew(mock_rc, ari_client_pool)
            mock_rc.server = None
            with mock.patch('certbot._internal.renewal.logger.warning') as mock_warning:
                assert renewal.should_autorenew(mock_rc, ari_client_pool)
            # Ensure we warned about skipping ARI checks when server is None
            assert any(call.args[0].startswith('Skipping ARI check') for call in
                       mock_warning.call_args_list)

    @mock.patch("certbot._internal.storage.atomic_rewrite")
    @mock.patch('certbot._internal.storage.RenewableCert.ocsp_revoked')
    @mock.patch('acme.client.ClientV2.renewal_time')
    def test_resilient_ari_directory_fetches(self, mock_renewal_time, mock_ocsp,
                                             unused_mock_atomic_rewrite):
        from certbot._internal import renewal
        from acme import messages

        ari_server = 'http://ari'
        ari_client_pool = mock.MagicMock()
        ari_client_pool.get.side_effect = messages.Error()
        mock_rc = mock.MagicMock()
        mock_rc.server = ari_server
        mock_rc.configfile = configobj.ConfigObj()
        mock_rc.autorenewal_is_enabled.return_value = True
        mock_ocsp.return_value = True

        with mock.patch('certbot._internal.renewal.open', mock.mock_open(read_data=b'')):
            with mock.patch('certbot._internal.renewal.logger') as mock_logger:
                assert renewal.should_autorenew(mock_rc, ari_client_pool)

        assert mock_renewal_time.call_count == 0
        # Ensure we logged about skipping the ARI check and the underlying exception
        assert any('ARI' in call.args[0] for call in mock_logger.warning.call_args_list)
        assert any(call.kwargs.get('exc_info') for call in mock_logger.debug.call_args_list)

    @mock.patch('certbot._internal.storage.RenewableCert.ocsp_revoked')
    def test_resilient_ari_check(self, mock_ocsp):
        from certbot._internal import renewal

        rc_path = test_util.make_lineage(self.config.config_dir, 'sample-renewal.conf')
        renewable_cert = storage.RenewableCert(rc_path, self.config)

        ari_error = acme_errors.ARIError('some error', datetime.datetime.now())
        ari_client_pool = MockAriClientPool(None, None)
        ari_client_pool.mock_acme.renewal_time.side_effect = ari_error

        mock_ocsp.return_value = True

        with mock.patch('certbot._internal.renewal.open', mock.mock_open(read_data=b'')):
            with mock.patch('certbot._internal.renewal.logger') as mock_logger:
                assert renewal.should_autorenew(renewable_cert, ari_client_pool)
        # Ensure we logged about skipping the ARI check and the underlying exception
        assert any('ARI' in call.args[0] for call in mock_logger.warning.call_args_list)
        assert any(call.kwargs.get('exc_info') for call in mock_logger.debug.call_args_list)

    def test_stores_ari_retry_after(self):
        from certbot._internal import renewal

        rc_path = test_util.make_lineage(self.config.config_dir, 'sample-renewal.conf')
        renewable_cert = storage.RenewableCert(rc_path, self.config)

        renewal_time = datetime.datetime.now(datetime.timezone.utc) + datetime.timedelta(
            seconds=1000)
        retry_after = datetime.datetime.now() + datetime.timedelta(seconds=1000)
        mock_ari_client_pool = MockAriClientPool(renewal_time, retry_after)

        # Check for renewal. As a side effect, this should cause the lineage config to be
        # updated with 'ari_retry_after' in the renewalparams section.
        renewal.should_autorenew(renewable_cert, mock_ari_client_pool)

        with open(renewable_cert.configfile.filename, 'r') as c:
            renewable_cert_config = configobj.ConfigObj(c)

        assert renewable_cert_config['acme_renewal_info']['ari_retry_after'] == retry_after.isoformat(
            timespec='seconds')

    def test_skips_ari_when_retry_after_future(self):
        from certbot._internal import renewal

        rc_path = test_util.make_lineage(self.config.config_dir, 'sample-renewal.conf')
        renewable_cert = storage.RenewableCert(rc_path, self.config)

        future = datetime.datetime.now() + datetime.timedelta(seconds=1000)
        storage.atomic_rewrite(rc_path,
           {"acme_renewal_info": {"ari_retry_after": future.isoformat(timespec="seconds")}})

        # ARI shouldn't be checked at all because retry after is in the future.
        mock_ari_client_pool = MockAriClientPool(None, None)
        mock_ari_client_pool.mock_acme.renewal_time.side_effect = errors.Error("Shouldn't be called")

        # Check for renewal. All we care about here is that renewal_time is not called; if it were,
        # an exception would be raised.
        renewal.should_autorenew(renewable_cert, mock_ari_client_pool)

    def test_checks_ari_when_retry_after_absent(self):
        from certbot._internal import renewal

        rc_path = test_util.make_lineage(self.config.config_dir, 'sample-renewal.conf')
        renewable_cert = storage.RenewableCert(rc_path, self.config)

        renewal_time = datetime.datetime.now(datetime.timezone.utc) + datetime.timedelta(seconds=1000)
        retry_after = datetime.datetime.now() + datetime.timedelta(seconds=1000)
        mock_ari_client_pool = MockAriClientPool(renewal_time, retry_after)

        # The 'ari_retry_after' field is absent, so renewal_time _should_ be called.
        # We don't care about the return value of should_autorenew.
        renewal.should_autorenew(renewable_cert, mock_ari_client_pool)

        mock_ari_client_pool.mock_acme.renewal_time.assert_called_once()

    def test_checks_ari_when_retry_after_in_past(self):
        from certbot._internal import renewal

        rc_path = test_util.make_lineage(self.config.config_dir, 'sample-renewal.conf')
        renewable_cert = storage.RenewableCert(rc_path, self.config)

        past = datetime.datetime.now() - datetime.timedelta(seconds=1000)
        storage.atomic_rewrite(rc_path,
                               {"acme_renewal_info": {"ari_retry_after": past.isoformat(timespec="seconds")}})

        renewal_time = datetime.datetime.now(datetime.timezone.utc) + datetime.timedelta(seconds=1000)
        retry_after = datetime.datetime.now() + datetime.timedelta(seconds=1000)
        mock_ari_client_pool = MockAriClientPool(renewal_time, retry_after)

        # The 'ari_retry_after' field is in the past, so renewal_time _should_ be called.
        # We don't care about the return value of should_autorenew.
        renewal.should_autorenew(renewable_cert, mock_ari_client_pool)
        mock_ari_client_pool.mock_acme.renewal_time.assert_called_once()

class MockAriClientPool:
    def __init__(self, renewal_time, retry_after):
        self.mock_acme = mock.MagicMock()
        self.mock_acme.renewal_time.return_value = (renewal_time, retry_after)

    def get(self, server):
        return self.mock_acme


class RestoreRequiredConfigElementsTest(test_util.ConfigTestCase):
    """Tests for certbot._internal.renewal.restore_required_config_elements."""
    @classmethod
    def _call(cls, *args, **kwargs):
        from certbot._internal.renewal import restore_required_config_elements
        return restore_required_config_elements(*args, **kwargs)

    @mock.patch.object(configuration.NamespaceConfig, 'set_by_user')
    def test_allow_subset_of_names_success(self, mock_set_by_user):
        mock_set_by_user.return_value = False
        self._call(self.config, {'allow_subset_of_names': 'True'})
        assert self.config.allow_subset_of_names is True

    @mock.patch.object(configuration.NamespaceConfig, 'set_by_user')
    def test_allow_subset_of_names_failure(self, mock_set_by_user):
        mock_set_by_user.return_value = False
        renewalparams = {'allow_subset_of_names': 'maybe'}
        with pytest.raises(errors.Error):
            self._call(self.config, renewalparams)

    @mock.patch.object(configuration.NamespaceConfig, 'set_by_user')
    def test_pref_challs_list(self, mock_set_by_user):
        mock_set_by_user.return_value = False
        renewalparams = {'pref_challs': 'http-01, dns'.split(',')}
        self._call(self.config, renewalparams)
        expected = [challenges.HTTP01.typ, challenges.DNS01.typ]
        assert self.config.pref_challs == expected

    @mock.patch.object(configuration.NamespaceConfig, 'set_by_user')
    def test_pref_challs_str(self, mock_set_by_user):
        mock_set_by_user.return_value = False
        renewalparams = {'pref_challs': 'dns'}
        self._call(self.config, renewalparams)
        expected = [challenges.DNS01.typ]
        assert self.config.pref_challs == expected

    @mock.patch.object(configuration.NamespaceConfig, 'set_by_user')
    def test_pref_challs_failure(self, mock_set_by_user):
        mock_set_by_user.return_value = False
        renewalparams = {'pref_challs': 'finding-a-shrubbery'}
        with pytest.raises(errors.Error):
            self._call(self.config, renewalparams)

    @mock.patch.object(configuration.NamespaceConfig, 'set_by_user')
    def test_must_staple_success(self, mock_set_by_user):
        mock_set_by_user.return_value = False
        self._call(self.config, {'must_staple': 'True'})
        assert self.config.must_staple is True

    @mock.patch.object(configuration.NamespaceConfig, 'set_by_user')
    def test_must_staple_failure(self, mock_set_by_user):
        mock_set_by_user.return_value = False
        renewalparams = {'must_staple': 'maybe'}
        with pytest.raises(errors.Error):
            self._call(self.config, renewalparams)

    @mock.patch.object(configuration.NamespaceConfig, 'set_by_user')
    def test_ancient_server_renewal_conf(self, mock_set_by_user):
        from certbot._internal import constants
        self.config.server = None
        mock_set_by_user.return_value = False
        self._call(self.config, {'server': constants.V1_URI})
        assert self.config.server == constants.CLI_DEFAULTS['server']

    def test_related_values(self):
        # certbot.configuration.NamespaceConfig.set_by_user considers some values as related to each
        # other and considers both set by the user if either is. This test ensures all renewal
        # parameters are restored regardless of their restoration order or relation between values.
        # See https://github.com/certbot/certbot/issues/9805 for more info.
        renewalparams = {
            'server': 'https://example.org',
            'account': 'somehash',
        }
        self._call(self.config, renewalparams)
        self.assertEqual(self.config.account, renewalparams['account'])


class DescribeResultsTest(unittest.TestCase):
    """Tests for certbot._internal.renewal._renew_describe_results."""
    def setUp(self):
        self.patchers = {
            'log_error': mock.patch('certbot._internal.renewal.logger.error'),
            'notify': mock.patch('certbot._internal.renewal.display_util.notify')}
        self.mock_notify = self.patchers['notify'].start()
        self.mock_error = self.patchers['log_error'].start()

    def tearDown(self):
        for patch in self.patchers.values():
            patch.stop()

    @classmethod
    def _call(cls, *args, **kwargs):
        from certbot._internal.renewal import _renew_describe_results
        _renew_describe_results(*args, **kwargs)

    def _assert_success_output(self, lines):
        self.mock_notify.assert_has_calls([mock.call(l) for l in lines])

    def test_no_renewal_attempts(self):
        self._call(mock.MagicMock(dry_run=True), [], [], [], [])
        self._assert_success_output(['No simulated renewals were attempted.'])

    def test_successful_renewal(self):
        self._call(mock.MagicMock(dry_run=False), ['good.pem'], None, None, None)
        self._assert_success_output([
            '\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -',
            'Congratulations, all renewals succeeded: ',
            '  good.pem (success)',
            '- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -',
        ])

    def test_failed_renewal(self):
        self._call(mock.MagicMock(dry_run=False), [], ['bad.pem'], [], [])
        self._assert_success_output([
            '\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -',
            '- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -',
        ])
        self.mock_error.assert_has_calls([
            mock.call('All %ss failed. The following certificates could not be renewed:', 'renewal'),
            mock.call('  bad.pem (failure)'),
        ])

    def test_all_renewal(self):
        self._call(mock.MagicMock(dry_run=True),
                   ['good.pem', 'good2.pem'], ['bad.pem', 'bad2.pem'],
                   ['foo.pem expires on 123'], ['errored.conf'])
        self._assert_success_output([
            '\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -',
            'The following certificates are not due for renewal yet:',
            '  foo.pem expires on 123 (skipped)',
            'The following simulated renewals succeeded:',
            '  good.pem (success)\n  good2.pem (success)\n',
            '\nAdditionally, the following renewal configurations were invalid: ',
            '  errored.conf (parsefail)',
            '- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -',
        ])
        self.mock_error.assert_has_calls([
            mock.call('The following %ss failed:', 'simulated renewal'),
            mock.call('  bad.pem (failure)\n  bad2.pem (failure)'),
        ])


if __name__ == "__main__":
    sys.exit(pytest.main(sys.argv[1:] + [__file__]))  # pragma: no cover
